CVE-2025-0723

Name of the Vulnerable Software and Affected Versions The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress versions up to, and including, 5.9.4.7

Description The issue is related to blind and time-based SQL Injections via the rid and search parameters due to insufficient escaping on user-supplied parameters and lack of sufficient preparation on existing SQL queries. This allows authenticated attackers with Subscriber-level access and above to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database.

Recommendations For versions up to, and including, 5.9.4.7, consider disabling the rid and search parameters in the affected plugin until a patch is available. Restrict access to sensitive database information to minimize the risk of exploitation. Avoid using the rid and search parameters in the affected API endpoints until the issue is resolved.